[vpn-help] Updated package and problem reports

Matthew Grooms mgrooms at shrew.net
Wed Aug 16 00:05:35 CDT 2006


Peter Eisch wrote:
> On 8/15/06 11:00 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:
> 
>> Peter Eisch wrote:
>>> As an example, this is just from selecting "Windows Update" on the XP box.
>>>
>> Hmmm, I will look into this tomorrow and attempt to find a solution to
>> the problem.
>>
> 
> Tonight's test of NAT-T:both went well.  There is still the issue noted
> above, but she popped right up.
> 
> I have a cisco capable of crypto, experience on cisco but little patience to
> figure out an equivalent config of what I'm doing with racoon.  Might you
> have some config excerpts handy that might be sufficient bread crumbs so I
> can throw it into my group of system tests?
> 
> Thanks,
> 
> 

Peter,

I'm not sure if the remote access options are available outside a pix, 
vpn concentrator or ASA. But here are the basics ...

1) define a transform set ( phase 2 parameters )
2) define a dynamic crypto map that uses the transform
3) define a standard crypto map and apply it to an interface
4) apply the dynamic crypto map to your standard crypto map
5) define any isakmp policies allowed ( phase 1 parameters )
6) define a tunnel group for remote access ( ipsec-ra ) and params
    a) client address assignment ( dhcp or a pool )
    b) xauth user db source ( aaa or local )
    c) group pre-shared key
    d) etc ... ( general-attributes and ipsec-attributes )

You may need to also define a default group-policy for the users.

For example ...

! 1) transform set ( phase 2 parameters )
crypto ipsec transform-set XFORM_3DES_MD5 esp-3des esp-md5-hmac
! 2) dynamic crypto map that uses the transform set
crypto dynamic-map MAP_VPNCLIENT 1 set transform-set XFORM_3DES_MD5
! 3/4) standard crypto map with the dynamic map as its last entry, applied to outside
crypto map MAP_PROD 65535 ipsec-isakmp dynamic MAP_VPNCLIENT
crypto map MAP_PROD interface outside
! 5) isakmp policy ( phase 1 parameters )
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
! 6) remote access tunnel group and its attributes
tunnel-group <group name> type ipsec-ra
tunnel-group <group name> general-attributes
  ...
tunnel-group <group name> ipsec-attributes
  ...

Anyways, this should at least get you moving in the right direction :)

Thanks again,

-Matthew
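A fuller version of the skeleton above, as an added example that is not part of Matthew's message or the Shrew Soft project: it fills in the tunnel-group and group-policy pieces listed as 6a) to 6d) with hypothetical values (client pool 192.168.50.0/24, inside network 10.1.0.0/16, the names VPNCLIENT, GP_VPNCLIENT, VPN_POOL, SPLIT_TUNNEL and NONAT, a local user vpnuser, and placeholder secrets), assumes ASA 7.x syntax, and uses AES-256/SHA-1 proposals in place of 3DES/MD5, both of which are now deprecated. The client's phase 1 and phase 2 proposals must match whatever is configured here, and the tunnel-group name is what the client sends as its IKE identity in aggressive mode, so it has to match the group name configured on the client side.

```cisco
! Added example, ASA 7.x syntax; names, addresses and secrets are assumptions.
! 6a) address pool handed to clients
ip local pool VPN_POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0
! Inside network reachable through the tunnel, and NAT exemption for client traffic
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
! 6b) local xauth user database; privilege 0 keeps the account VPN-only
username vpnuser password <user password> privilege 0
! default group policy for the tunnel group (split tunnel, DNS, idle timeout)
group-policy GP_VPNCLIENT internal
group-policy GP_VPNCLIENT attributes
 dns-server value 10.1.0.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-idle-timeout 30
! 1) phase 2 proposal, 2) dynamic map, 3/4) static map with the dynamic entry last
crypto ipsec transform-set XFORM_AES256_SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map MAP_VPNCLIENT 1 set transform-set XFORM_AES256_SHA
crypto dynamic-map MAP_VPNCLIENT 1 set reverse-route
crypto map MAP_PROD 65535 ipsec-isakmp dynamic MAP_VPNCLIENT
crypto map MAP_PROD interface outside
! 5) phase 1 policy; isakmp has to be enabled on the interface, NAT-T turned on
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! 6) remote access tunnel group: pool, xauth source, default policy, 6c) group PSK
tunnel-group VPNCLIENT type ipsec-ra
tunnel-group VPNCLIENT general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy GP_VPNCLIENT
tunnel-group VPNCLIENT ipsec-attributes
 pre-shared-key <group pre-shared key>
 isakmp keepalive threshold 20 retry 3
```

The dynamic map deliberately sits at sequence 65535 so any static site-to-site entries in MAP_PROD are matched first; `isakmp nat-traversal` is the setting that lets clients behind NAT (the NAT-T test in this thread) bring the tunnel up over UDP 4500. Once a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` show which phase 1 policy and transform set were actually negotiated, which is the first thing to check when the proposals on the two sides disagree.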
